Anthem

Target IP: 10.10.164.252

Challenge Description: Enjoy the Anthem.


Reconnaissance

[Screenshot: f613f7834dd1757c9f8602f4d7b5e83e.png]
Running sudo nmap -sS 10.10.164.252 -Pn --top-ports=400 -g 80 shows that only two TCP ports are open on the target machine, HTTP and RDP, as shown above. The target blocks ICMP requests by default, so the -Pn flag is used to skip host discovery and scan the host anyway.

[Screenshot: 0b203880060a409149c95a2bff2f0b7b.png]
The result above is returned after performing an aggressive scan against the two open TCP ports. I will start enumeration with the HTTP application on port 80.


Enumeration

Port 80: HTTP
[Screenshot: 1c64d669f99e3e8527c4e4e06735f483.png]
The front page of the web application is shown above. By the looks of it, there are two articles.

[Screenshot: 90dab9aa4a7796d26bf6d0da0446b693.png]
I checked whether /robots.txt exists, and it does: the target returned the content shown above. The string UmbracoIsTheBest! stands out because it looks like a password. The file also lists hidden directories that crawlers are told not to index.
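The leak above is a robots.txt that carries a stray, password-looking line alongside its Disallow entries. The following Python script is an added example (not part of the original writeup) of the check a site owner can run on their own robots.txt before publishing it: it inventories the paths the file exposes to anyone who reads it and flags every line that is not a recognised directive or comment, plus any credential-shaped token inside comments. The sample body is constructed; the /example-hidden/ path is a placeholder, and only /umbraco/ and the UmbracoIsTheBest! string come from the writeup.

```python
"""Audit a robots.txt body for stray lines and credential-looking tokens.

Added example, not code from the writeup. The sample robots.txt below is
constructed for the demonstration.
"""
import re

# Directives defined by the robots.txt convention (RFC 9309 plus common
# extensions). Anything else that is not blank or a comment is suspicious.
KNOWN_DIRECTIVES = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}

# Heuristic for a credential-looking token: at least 8 non-space characters,
# mixed case, and at least one digit or punctuation character.
SECRET_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[\d!@#$%^&*?_-])\S{8,}$")

SAMPLE_ROBOTS = """\
# constructed sample modelled on the robots.txt described in the writeup
User-agent: *
Disallow: /umbraco/
Disallow: /example-hidden/
UmbracoIsTheBest!
"""


def audit_robots(body):
    """Return (disallowed_paths, stray_lines, secret_candidates) for a robots.txt body."""
    disallowed, stray, secrets = [], [], []
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Comments are not fetched by crawlers but are read by people;
            # check each token for something that looks like a credential.
            secrets.extend(tok for tok in line.lstrip("#").split() if SECRET_RE.match(tok))
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in KNOWN_DIRECTIVES:
            if name.strip().lower() == "disallow" and value.strip():
                # Every Disallow entry is a path the site owner considers sensitive
                # and has now advertised to anyone who reads the file.
                disallowed.append(value.strip())
            continue
        # Not a directive, not a comment: this is where stray secrets end up.
        stray.append(line)
        if SECRET_RE.match(line):
            secrets.append(line)
    return disallowed, stray, secrets


if __name__ == "__main__":
    paths, stray_lines, candidates = audit_robots(SAMPLE_ROBOTS)
    print("advertised paths:", paths)
    print("stray lines:", stray_lines)
    print("credential-looking tokens:", candidates)
```

Run it against the real file in a deployment pipeline and fail the build when `stray_lines` or `secret_candidates` is non-empty; the `disallowed` list is worth reviewing too, since robots.txt is an index of sensitive paths rather than an access control.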

[Screenshot: 2c56542549f8c351a2326b8aa78b98cc.png]
The article above is about the admin. Doing a Google search for the poem returns the name Solomon Grundy. Is that the admin's name? And if so, what is the admin's email address?

[Screenshot: dc159239ea2a3ba1e274d2cda266aac3.png]
I found a valid email address for the user Jane Doe, JD@anthem.com, at http://10.10.164.252/archive/we-are-hiring/. Following the same initials pattern, what if the admin's email address is SG@anthem.com?

[Screenshot: 4bd7e6640ea128899275d1c4a1e45ad0.png]
I used the credentials SG@anthem.com:UmbracoIsTheBest! against the login portal at http://10.10.164.252/umbraco/login.

[Screenshot: 4b3d18310e50c7dbc3d18d72f462740f.png]
And it worked! I now have access to the CMS web application with the admin's credentials. I uploaded a webshell but was unable to use it. The target appears to be running Umbraco version 7.15.4, which does not appear to be vulnerable. Time to find other exploitation vectors.


Exploitation

[Screenshot: 0923e29d2c02e83e6316d06ce8cb7d47.png]
Using the command xfreerdp /p:UmbracoIsTheBest! /u:sg /v:10.10.164.252 +clipboard /dynamic-resolution /drive:share,/tmp, I connected to the target machine over RDP on port 3389 with the username SG and the password UmbracoIsTheBest!, the same credentials that worked for the CMS. Now I have a foothold on the target machine via RDP.


Privilege Escalation

[Screenshot: d55c955db44e74a5a0f4c1f039f01604.png]
I browsed to the C:\ drive, opened the View options and ticked Hidden items to display hidden content. Doing this reveals a hidden directory called backup, as shown above.

[Screenshot: b23aa33abc044b3bb523ef6f7dec9551.png]
The hidden directory backup contains a single text file called restore. However, I was unable to view it. I overcame this by granting the current user enough permission to read the file, as shown above. The steps I executed are shown in the screenshot below:

[Screenshot: b68d794b760cb228afe981a867790322.png]
After gaining enough permission, the file restore becomes readable and its content is shown above. Is the string ChangeMeBaby1MoreTime a password?
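The password found here sits in a plaintext file inside a hidden backup directory, which is exactly what a periodic credential sweep of a host's filesystem is meant to catch before an intruder does. The Python script below is an added example (not from the writeup) of such a sweep: it walks a directory tree, reports lines that carry a credential keyword followed by a value, and records whether the containing directory is hidden (dot-prefix, or the Hidden attribute on Windows). The directory layout and file contents it builds are constructed to resemble the one described above; the sample "restore" file's text is invented for the demonstration.

```python
"""Sweep a directory tree for plaintext credentials in readable files.

Added example, not code from the writeup. build_sample_tree() creates a
constructed layout (a backup/restore file holding a keyword/value line)
so the scanner can be run offline.
"""
import os
import re
import stat
import tempfile

# keyword, optional ':' or '=', then a non-space value
KEYWORD_RE = re.compile(
    r"\b(password|passwd|pwd|secret|api[_-]?key)\b\s*[:=]?\s*(\S+)", re.IGNORECASE
)
MAX_BYTES = 1_000_000  # skip large files, which are usually binaries or archives


def is_hidden(path):
    """True for dot-prefixed names, or on Windows when the Hidden attribute is set."""
    if os.path.basename(path).startswith("."):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_tree(root):
    """Return a list of (relative_path, keyword, value, dir_is_hidden) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hidden_dir = is_hidden(dirpath)
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for line in fh:
                        for m in KEYWORD_RE.finditer(line):
                            hits.append(
                                (os.path.relpath(path, root), m.group(1).lower(), m.group(2), hidden_dir)
                            )
            except OSError:
                # unreadable files are worth a separate permissions review;
                # the scanner just moves on
                continue
    return hits


def build_sample_tree():
    """Create a constructed tree: <root>/backup/restore plus a harmless readme."""
    root = tempfile.mkdtemp(prefix="cred_sweep_")
    backup = os.path.join(root, "backup")
    os.makedirs(backup)
    with open(os.path.join(backup, "restore"), "w", encoding="utf-8") as fh:
        fh.write("restore notes (constructed sample)\npassword: ChangeMeBaby1MoreTime\n")
    with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("nothing sensitive in this file\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, keyword, value, hidden in scan_tree(sample_root):
        print(f"{rel}: {keyword} -> {value!r} (hidden dir: {hidden})")
```

On a real host, point `scan_tree` at the drive root and run it as an account with broad read access; files it cannot open deserve a separate look at their ACLs, since a backup that the scanner cannot read is still readable by whoever is granted permission later, as happened in this writeup.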

[Screenshot: d7a142b42ae14fc46b26f7af6a4ce24e.png]
Running net user shows there is an Administrator user. I executed the command runas /u:administrator cmd, and it prompted me for this user's password, as shown above.

[Screenshot: b12619c27dc8c5d6a2128f953ac7d480.png]
And using the password ChangeMeBaby1MoreTime for the user Administrator works! It opens a new command prompt running as Administrator, as shown above, together with the root.txt flag.
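Two host-side events mark this attack path: the RDP logon as the CMS user sg in the Exploitation section, and the runas to Administrator just above. Both leave Windows Security log entries, 4624 with LogonType 10 (RemoteInteractive) for the RDP session and 4648 (logon using explicit credentials) for runas. The Python script below is an added example (not from the writeup) of a detection that flags RDP logons from sources outside an allowed jump-host list, RDP logons by accounts that also exist in the web CMS (password-reuse exposure), and explicit-credential logons to a privileged account by a non-privileged one. The event records are constructed dictionaries shaped like those event fields, not captured logs; the jump-host address, the source IPs and the CMS account list are assumptions, with only the account names sg and Administrator taken from the writeup.

```python
"""Flag RDP logons and explicit-credential logons to privileged accounts.

Added example, not code from the writeup. SAMPLE_EVENTS are constructed
records using the field names of Windows Security events 4624 and 4648.
"""

RDP_LOGON_TYPE = "10"                  # 4624 LogonType 10 = RemoteInteractive (RDP)
PRIVILEGED = {"administrator"}         # accounts whose explicit use is always reviewed
CMS_ACCOUNTS = {"sg"}                  # assumed: accounts that also exist in the web CMS
ALLOWED_RDP_SOURCES = {"10.10.0.5"}    # assumed jump host; constructed address

SAMPLE_EVENTS = [
    # constructed: RDP logon by the CMS user from an unexpected source
    {"EventID": 4624, "TargetUserName": "sg", "LogonType": "10", "IpAddress": "10.9.1.23"},
    # constructed: a service logon, not RDP, should not alert
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": "5", "IpAddress": "-"},
    # constructed: RDP logon by an admin from the jump host, should not alert
    {"EventID": 4624, "TargetUserName": "itadmin", "LogonType": "10", "IpAddress": "10.10.0.5"},
    # constructed: runas by sg using the Administrator account's credentials
    {"EventID": 4648, "SubjectUserName": "sg", "TargetUserName": "administrator",
     "ProcessName": r"C:\Windows\System32\runas.exe"},
]


def detect(events):
    """Return a list of (rule, actor, detail) alerts for the given event records."""
    alerts = []
    for e in events:
        event_id = e.get("EventID")
        target = e.get("TargetUserName", "").lower()
        if event_id == 4624 and e.get("LogonType") == RDP_LOGON_TYPE:
            source = e.get("IpAddress", "-")
            if source not in ALLOWED_RDP_SOURCES:
                alerts.append(("rdp_unexpected_source", target, source))
            if target in CMS_ACCOUNTS:
                # a CMS password that also opens RDP is a password-reuse finding
                alerts.append(("rdp_by_cms_account", target, source))
        elif event_id == 4648 and target in PRIVILEGED:
            subject = e.get("SubjectUserName", "").lower()
            if subject not in PRIVILEGED:
                # a non-privileged session supplying Administrator credentials (runas)
                alerts.append(("explicit_cred_to_privileged", subject, target))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {actor} -> {detail}")
```

In production the records come from the Security channel (via `Get-WinEvent`, a forwarding agent or a SIEM); the rules themselves stay the same, and the CMS account list is the piece that has to be maintained from the web application's own user store.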


Flags

[Screenshot: fbeaaabb27fabe6c520292fe69117d41.png]
The first flag is embedded in the source code of the /archive/we-are-hiring page, as shown above.

[Screenshot: 88b8162e473bd677b260314997021198.png]
Viewing the source code of http://10.10.164.252/ reveals the second flag, as shown above. The third flag is THM{L0L_WH0_D15}; I forgot to take a screenshot of it.

[Screenshot: 92f95e743b40e95e2656b51fa3fc2e19.png]
The fourth flag is located at http://10.10.164.252/archive/a-cheers-to-our-it-department/, as shown above.

[Screenshot: 56767e8c42c489b0109f6116a33da82e.png]
The fifth flag is obtained after gaining a foothold on the target machine; it is located on the Desktop.

[Screenshot: 2e85445d25404bd76afefe4bed718f3c.png]
The root.txt flag, obtained after gaining Administrator access on the target machine.